New York Fall
September 10, 2014

Security Leaders Summit Hilton Avenue of the Americas

The Security Leaders Summit New York Fall was held on Wednesday, September 10, 2014 at the Hilton Avenue of the Americas. The Summit brought together an outstanding community of senior IT executives for engaging peer-level interaction, discussions on new approaches to managing complexities in Information Security and provided opportunities to collaborate with leaders in the industry. Throughout the day, the Summit Hosts, representing companies across a diversity of industries and sizes, shared insights and knowledge with the distinguished group of attendees through their presentations, interviews and breakout roundtable discussions.

“The Security Leaders Summit provided for a great program with great value.”
Rich Carson, Chairman – SAINT Corporation

Summit Recap

Summit Emcee Richard Warner kicked off the 2014 Security Leaders Summit in New York with 80+ senior executives from across the area in attendance. Earlier in the morning, guests had the opportunity to enjoy breakfast and engage with their colleagues and Summit Sponsors.

“The Rising Value of the CISO” was the topic of the Opening Keynote, presented by Matt Comyns, Global Co-head of the Cyber Security Practice at Russell Reynolds Associates. Matt shared insights into the increasing value of the role to the business and the shift in compensation to align with that value. At large global companies where CISOs are dealing with a wide range of complex issues, compensation is in the $500,000+ range with bonuses. Matt stated the “rising tide in compensation is moving the average minimum to $300,000 and above.”

Matt wrapped up his keynote with his perspective on what separates the top tier CISOs from the rest – vision, polished communication skills that provide for a great presence, and the ability to attract talent to the organization. Matt stressed the use of an executive coach as a way to help fast track a CISO career.

In the interview session, “Leadership Challenges,” Todd Bearman, Chief Information Security Officer of Towers Watson, facilitated discussions with Justine Aitel, Chief Information Security Officer of Dow Jones & Company, and Anthony Johnson, VP & Chief Information Security Officer at Fannie Mae. Working for a publishing company, Justine is focusing on new ways to bring in revenue as a way to demonstrate the increased value of her organization, and on working with the company to further leverage social media for both customer and employee retention. Anthony has laid out a plan to work closely with the business units to streamline the complexities of managing risk. Todd brought to light the need for CISOs to position themselves more aggressively to gain greater access to the C-Suite and Board.

The morning break provided guests with the opportunity to grab more coffee, enjoy fruit smoothies, and continue discussions with their peers.

In the Executive Briefing, “One Day Wonders…How Cyber Criminals Are Hiding in Plain Sight…” Grant Asplund, Director of Evangelism at Blue Coat Systems, Summit Platinum Sponsor, shared some of the latest trends that highlight the increased need for real-time global intelligence. Over a 90-day period, 470 million of the 660 million new hostnames observed existed for 24 hours or less. Grant stated that while most of these are legitimate and exist to deliver a better user experience, 22% of the top 50 domains responsible for these ‘one-day-wonders’ were identified as malicious.

In his presentation, Grant discussed what organizations need in response: security controls fed by real-time global intelligence; solutions that comprehensively assess and assign a risk value based on multiple factors, including context around domains, IP addresses and site popularity; a baseline of hostnames so that anomalies can be detected rapidly; and highly granular policy controls, including detailed policy creation, threat risk levels and hostname baselines, to help automate defenses and fortify the security posture.

After lunch, Emcee Richard Warner spoke with Shardul Shah, Principal at Index Ventures, on “Trends from an Investor’s Perspective.” Shardul discussed some of the latest trends in information security he is seeing, the direction of products coming to market, and what a firm like his looks for and invests in as the “next big idea.”

ViJay Viswanathan, Chief Information Security Officer at HD Supply, presented on “Intelligence Driven Security.” ViJay shared the knowledge gained from his multi-year journey to create and implement a unique Intelligence-driven Risk Management Framework. While the company is now beginning to reap rewards for its efforts to date, ViJay noted that the keys to success are a definite commitment from the business, since substantial expense is involved; the collection of typically huge volumes of data in order to establish a baseline; and a team that understands the business and has the expertise to filter the data.

Always rated highly by Summit attendees, the Executive Roundtables offered the opportunity to spend the remaining afternoon in peer-to-peer discussions on a range of topics. Topics were facilitated by Summit hosts including Deb Snyder, Acting Chief Information Security Officer at NY State Office of Information Technology Services, Kostas Georgakopoulos, Americas Head of IT Security at UBS, John Hibbs, Chief Information Security Officer at GE Capital, John Whiting, Business Information Security Officer at AIG, Ray Hawkins, Chief Information Security Officer at Genesis HealthCare Corporation and Teresa Zielinski, Chief Information Security Officer and Risk Leader at GE Power and Water.

At the Executive Roundtable discussions, guests had the opportunity to rotate to a second topic that was of interest to them. The Roundtable discussions wrapped up with debriefs of each of the topics by the Summit Hosts. Pictured: John Whiting, Business Information Security Officer at AIG, providing one of the debriefs.

The Summit concluded with guests enjoying the afternoon Reception.

Platinum Sponsor

Blue Coat Systems

Blue Coat empowers enterprises to safely and securely choose the best applications, services, devices, data sources, and content the world has to offer, so they can create, communicate, collaborate, innovate, execute, compete and win in their markets. Blue Coat has a long history of protecting organizations, their data and their employees and is the trusted brand to 15,000 customers worldwide, including 86 percent of the FORTUNE Global 500. With a robust portfolio of intellectual property anchored by more than 200 patents and patents pending, the company continues to drive innovations that assure business continuity, agility and governance.

Bronze Sponsors

AirWatch by VMware

AirWatch by VMware is the leader in enterprise mobility management, with more than 10,000 global customers. The AirWatch platform includes industry-leading mobile device, email, application, content, and browser management solutions. Acquired by VMware in February 2014, AirWatch is based in Atlanta and can be found online at http://www.air-watch.com/

NetSPI

Utilizing its proven and comprehensive methodology in conjunction with its adaptive and responsive client service, NetSPI is more than a vendor; it is a partner you can trust with your most critical assets. More information is available at http://www.netspi.com/

Security Innovation

Security Innovation focuses on the most difficult IT Security problem, and the root cause of most data breaches — insecure software applications. For more than a decade, we’ve helped organizations build internal expertise, uncover critical vulnerabilities, and improve the process by which applications are built. The company’s solutions are based on the three pillars of a secure Software Development Lifecycle (SDLC), which feed into one another to create an ecosystem of repeatable, secure software development: Standards, Education, and Assessment. Our flagship products include TeamProfessor, the industry’s largest library of application security eLearning courses, and TeamMentor, “out of the box” secure development standards. For more information visit: https://www.securityinnovation.com/

Wombat Security Technologies

Wombat Security Technologies provides information security awareness and training software to help organizations teach their employees secure behavior. Their SaaS cyber security education solution includes a platform of integrated broad assessments and a library of simulated attacks and brief interactive training modules, to reduce employee susceptibility to attack, including phishing attacks, by over 80%.

Thank you for attending the Security Leaders Summit in New York on September 10. We hope you had as many valuable and enlightening discussions as we did at the event. In case we didn’t get a chance to talk, here’s a little bit about Wombat Security Technologies.

We help organizations teach their employees how to avoid cyber-attacks. You can change employee behavior and reduce organizational risk. You can implement a complete program through our Security Education Platform which includes knowledge assessments and mock attacks, a library of interactive training modules, awareness materials, and detailed reporting.

Our customers have achieved a 9x ROI within 6 months by significantly reducing malware infections and successful phishing attacks from the wild. You can too.

Wi-Fi Sponsors

SAINT Corporation

SAINT Corporation, a global leader in network security, offers the SAINT security suite including integrated vulnerability assessment, penetration testing, compliance reporting, and configuration assessment. Examine your network with the SAINT vulnerability scanner, and expose where an attacker could breach your network. Go to a higher level of visibility with penetration testing tools and exploit the vulnerability to prove its existence without a doubt.

SAINT can help to –
• Manage and reduce security risks to your enterprise
• Document compliance with government and industry regulations like PCI, NERC, HIPAA, SOX, FISMA, and with internal policies.
• Emulate potential attackers with the suite of exploit tools.
• Perform configuration audits with policies defined by FDCC & USGCB.

SAINT software is available to download, as a cloud service (SAINTCloud), or preloaded on an appliance (SAINTbox). The software includes enterprise functionality; customizable dashboards and data analysis; and a friendly interface. For more information, visit http://www.saintcorporation.com/

SecureAuth

Located in Irvine, California, SecureAuth is a technology leader and creator of the award-winning SecureAuthIdP that uniquely delivers multi-factor authentication and single sign-on together in a powerful solution for mobile, cloud, web, and network resources without requiring supplementary components or add-ons. For more information visit: http://www.secureauth.com/

Hosts

The Security Leaders Summit New York Fall 2014 was hosted by information security and IT executives from across the region. The Summit Hosts served as the face of the Summit; throughout the day they shared their insights during presentations and interactive sessions and facilitated peer-to-peer executive roundtable discussions. The hosts were:

New Zealand-born Justine is a risk specialist with a background in vulnerability research, IT management, and classical ballet. Since 2013 she has been employed by Dow Jones as Chief Information Security Officer and head of Technology Special Projects. In this role Justine is responsible for global Information Security as she helps evolve the Dow Jones product lines, including Factiva and the Wall Street Journal. In previous roles Justine was CEO of Immunity, Inc, Head of Security at Bloomberg L.P., a consultant and researcher with Internet Security Systems (now IBM) X-Force, and with New Zealand’s Government Communications Security Bureau. She was also a professional dancer with the Royal New Zealand Ballet Company. Justine is based in New York City and Miami.

Mr. Bearman works at Towers Watson as the CISO with responsibility for both Information and Physical Security. Mr. Bearman is responsible for ensuring appropriate security is in place to protect corporate and client assets in over 140 offices across more than 25 countries.

Mr. Bearman works hand in hand with all lines of business, data privacy, audit, compliance, and legal to coordinate, execute, and govern the corporate Information Security program. Current responsibilities in this position include: managing the corporate information security program; defining strategy; coordinating security initiatives efforts across lines of business, audit oversight, incident management, and IT risk management; and reporting information security program status to the board of directors and various leadership committees.

Mr. Bearman has over 25 years of information systems experience and has been involved with various aspects of Information Security for over 18 years. Prior to working at Towers Watson/Towers Perrin, Todd was the Director of Information Security at Commerce Bank (now TD Bank). Previously, Todd has spent much of his career as a consultant, where he last was responsible for managing the Information Security practice at Schlumberger Ltd, a global oilfield services organization. He has also had various consulting engagements as well as several years of banking experience at CoreStates Bank (now Wachovia). Mr. Bearman has successfully leveraged his broad base of security expertise and experience with his strong business sense to empower companies to protect their information assets while managing information risk and business costs and impacts.

Todd has been invited to participate on several panels and presented security lectures for various organizations including Gartner, Symantec, NJ CIO Forum, NJ Technology Forum, and the Information Security World Conference, CISO Summit, and PwC State of Security Panel. Todd has also been featured in multiple articles including in Information Technology and Security magazine and CIO-Leader.com. He earned his BS in Marketing from Monmouth University.

Matt Comyns is the global co-head of the Cyber Security practice and a leader in the Digital Transformation practice. In Cyber Security, Matt recruits Chief Information Security Officers, senior consultants, and niche leaders (Head of Fraud Prevention, etc) for large global corporations, leading professional services companies, and fast growing private companies. Matt also has a successful track record of recruiting digital leaders for public and private technology companies and non-tech companies who are seeking transformative digital talent. Based in Stamford CT, Matt also has experience recruiting technology and digital leaders in the E-Commerce and B2B information sectors.

Kostas Georgakopoulos has led Global Information Security Programs for large Financial Services firms such as NASDAQ OMX, Bank of China and Deutsche Bank. Georgakopoulos is currently US Regional Manager Security IT at UBS. His experience is focused on global information security, privacy and governance frameworks, policies, procedures, guidelines and standards. He has evaluated various industry best practices, including NIST, ISO, SANS, COBIT and CERT, as well as legislative and regulatory compliance requirements, including SOX, GLBA, PCI, HIPAA, the EU Data Protection Directive and FFIEC.

Ray Hawkins is the Chief Information Security Officer for Genesis Healthcare, the largest provider of long-term healthcare services in the United States. He has over fifteen years of experience in Information Security across a number of industry sectors, public sector and consulting. In his leadership role Ray provides guidance and direction in all matters related to data protection, regulatory compliance, risk management, litigation support, e-discovery, and incident management.

Ray holds a number of professional certifications and is currently pursuing a PhD in Information Security. Outside of work he focuses his time on his wife and two kids and is an active Brazilian Jiu-Jitsu competitor.

John Hibbs is a native of Fairmont WV and graduated from West Virginia University with a degree in Mechanical Engineering in 1993. He was commissioned as an Ensign in the United States Navy via Officer Candidate School in the same year.

He was subsequently designated as a Surface Warfare Officer where he served as the Communications and Auxiliaries Officer in USS VELLA GULF (CG-72) and the Navigator and Fire Control Officer in USS SCOTT (DDG-995).

John then transitioned to the U.S. Navy Information Warfare community in 1998 and was assigned to the National Security Agency where he served in a variety of operational positions. In 2001, he reported to the staff of U.S. Naval Forces Europe where he served as the Information Operations Department Head and participated in OPERATION IRAQI FREEDOM planning efforts.

John next served as the Executive Officer at Navy Information Operations Command Texas. During this period, he oversaw a command expansion from 220 to 530 personnel and the command earned the NSA Director’s Trophy for operational excellence.

John was then assigned to the staff of U.S. Fleet Forces Command where he managed all Fleet Cyber requirements. He then reported to the Navy Cyber Defense Operations Command as the Operations Officer and ran all US Navy Cyber Security operations.

In 2012, John transitioned from the Navy and joined GE Capital as the Chief Information Security Officer.

In addition to his engineering degree, John has a Masters Degree in Information Technology Management from Central Michigan University, a Masters Degree in National Security and Strategic Studies from the Naval War College, and a Masters of Business Administration from the Darden School at the University of Virginia.

John is married to the former Irene Leporini of Orlando, FL and they have five children: Claudia, Liam, Avery, Jillian, and Mason. Interests include incessantly chasing his offspring, community service, and reading.

Anthony Johnson is Fannie Mae’s Vice President and Chief Information Security Officer, reporting jointly to the Vice President for Risk Continuity and Security and the Senior Vice President and Chief Information Officer. Johnson is responsible for overseeing the security of the company’s information and confidential data, while defining and ensuring compliance with security protection policies. His oversight includes real-time threat monitoring, and responding to cyber risks and emerging threats.

Before joining Fannie Mae in May 2014, Johnson was General Electric Treasury’s Chief Information Security Officer, with responsibility for cyber security global operations, intelligence, incident response, vulnerability remediation, and technical risk reduction. Previously, he held various security-related positions with Fortune 500 companies, consulting firms, and the U.S. Air Force.

Johnson has a bachelor of science in computer information systems from Regis University and a master of business administration in management from Indiana University’s Kelley School of Business.

Shardul joined Index in 2008. His focus is on infrastructure, security and software. Shardul’s board involvement includes Datadog, Outbrain, Lacoon and Adallom. He has also supported investments in Moleskine, Squarespace, Dropbox, Centrify, Stack Exchange, Erply, Zend, Ariad (ARIA), and Micromet (acquired by Biogen). He holds a BA in Economics and a BA in Biology, with a specialization in Immunology, from the University of Chicago.

Deborah A. Snyder serves as Acting Chief Information Security Officer (CISO) for the New York State Office of Information Technology Services (ITS). In her role as Acting CISO, she directs the Enterprise Information Security Office’s comprehensive governance, risk management and compliance program. She provides business-aligned strategic leadership and vision, promoting industry standards and risk-based investments to maximize business opportunity and minimize risk.

From November 2001 to November 2012, she served as the Chief Information Security Officer for the New York State Office of Temporary and Disability Assistance (OTDA), where she established and led the agency’s Information Security Office and comprehensive Information Security Assurance Program. She informed and advised executive management on security governance, risk and compliance, and managed a portfolio of initiatives designed to increase awareness, mitigate risk, optimize protection of information assets and prevent, detect and recover from incidents.

Ms. Snyder has extensive experience in state and local government program administration, information technology and information security services. Prior to serving as the agency’s CISO, Ms. Snyder served as the Director of Human Services Modernization, leading program reform, redesign and system modernization initiatives encompassing multiple agencies and systems, managing state programs, IT, and vendor resources to deliver innovative program and technology solutions.

Ms. Snyder is an active participant and contributor to the IT and Information Security community. She has championed efforts to strengthen the State’s information security posture and advance the profession at large. She has served as Co-Chair of the NYS Forum Information Security Work Group, VP of Education for the local ISACA Chapter, and is a member of the Project Management Institute, InfraGard, Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), and the Institute of Internal Auditors (IIA). She co-authored the book entitled “SECURE – Insights From The People Who Keep Information Safe,” which offers industry leaderships insights and perspective, and has received recognition for excellence in government information services, and outstanding contributions to the field of information security and cyber security. She is a highly regarded speaker and instructor on topics critical to executive-level business and IT professionals.

Ms. Snyder graduated from the State University of New York at Albany, and holds several industry certifications including Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), SANS Global Information Assurance Certification in Security Leadership (GIAC GSLC) and Project Management Professional (PMP).

John Whiting is an established IT and Security Executive with twenty years of experience. His strengths include evaluating and aligning technology investments with organizational goals to support continued growth, technology strategy, data privacy, information security governance, security risk, vendor and third-party risk governance, business development, and human capital development. He is currently employed at American International Group as the BISO (Business Information Security Officer) for Global Corporate and Human Resources, and also serves on the SIG / Shared Assessments committees for the Vendor Risk Maturity Model (VRMM) and Vendor Privacy.

ViJay serves on various industry and professional advisory boards. He is a progressive thought leader, a featured speaker at security industry events, and a regular author for industry publications. He is also a strategic advisor for early and growth stage technology start-ups and provides research and intelligence to venture capital and private equity groups.

He is also the principal architect of a Supply Chain Security Framework and is presently engaged in publishing an industry reference framework for Intelligence-driven Risk Management.

ViJay holds multiple product certifications, is Six Sigma certified, received his B.S. in electronics from Osmania University, India and Executive Business leadership and finance management program from Cornell University.

Teresa is responsible for the strategic leadership of GE information security programs and Risk in Power and Water, including incident response, government relations, cyber intelligence, application & system security, and controllership & governance. She has been the CISO since October, 2013 and recently took over Risk in July 2014. GE Power and Water is a $28B business with 42,000 employees in over 100 locations. Prior to this role, Teresa led the Security Design Team across Aviation and Energy for 4 years where she was responsible for defining strategy and standards along with leading new technology implementations for critical security technologies.

Teresa has been with GE for 15 years and began her career in Energy as a Black Belt. She held various positions in Information Technology as the Quality leader supporting ERP, Product Lifecycle Manager supporting engineering operations, and the Quality Control Manager for TSG (Technical Services Group). Prior to moving into cyber security, she managed the Energy and Oil & Gas Build team, responsible for the implementation of large-scale CIO and network connectivity projects.

Teresa holds a Master of Science degree in Statistics and a Bachelor of Science in Math/Physics from the State University of New York, Albany.

Time

Description

7:30am – 8:30am

Registration Opens with Breakfast Buffet and Networking in the Sponsor Pavilion

Rendezvous Ballroom

8:30am – 8:40am

Transition to Ballroom

8:40am – 9:00am

Welcome and Opening Remarks

Trianon Ballroom

9:00am – 9:35am

“Opening Keynote – The Rising Value of the CISO”

In the morning Opening Keynote, Matt Comyns, Global Co-head of the Cyber Security Practice and a leader in the Digital Transformation practice at Russell Reynolds Associates, will share his insights into the CISO of the future, the increasing value of the role to the business, the shift in compensation to align with the increased value, his discussions with the C Suite, and what separates the top tier CISOs from the rest.

Russell Reynolds Associates is an executive leadership and search firm, serving clients globally for 45 years. The company advises clients on recruiting and retaining outstanding and impactful leaders.

Trianon Ballroom

9:35am – 10:15am

“Game Changers – Leadership Challenges”

In this interview session, Todd Bearman, Chief Information Security Officer of Towers Watson, will facilitate discussions with Justine Aitel, Chief Information Security Officer at Dow Jones & Company, and Anthony Johnson, VP & Chief Information Security Officer at Fannie Mae, on how they are moving their organizations to the next level, partnering better with the business, and enabling employees to truly be part of a borderless enterprise.

As the Director of Evangelism, Grant brings more than 30 years of experience in sales, marketing and management to Blue Coat. Prior to joining the company, Grant was head of market development and sales for Altor Networks, which was acquired by Juniper Networks.

Before joining Altor Networks, he was vice president, enterprise sales for NeuStar. Earlier, he was president and CEO of MetaInfo and successfully sold the company to NeuStar. Grant was the worldwide senior product evangelist for Check Point, which he joined after the company acquired MetaInfo.

Over a 90-day period, 470M of the 660M new hostnames observed existed for 24 hours or less. While most of these are legitimate and exist to deliver a better user experience, there is a darker side: of the top 50 domains responsible for these ‘one-day-wonders’, fully 22% were identified as malicious. This tactic is popular with cyber criminals because it:
• Keeps security solutions guessing, since dynamic domains are harder to thwart than static domains.
• Overwhelms security solutions by generating a high volume of domains, increasing the chance that some percentage will be missed by security controls.
• Hides from security solutions by combining ‘one-day-wonders’ with encryption, running incoming malware and/or outgoing data theft over SSL.

This presentation will discuss:
• Why organizations should utilize security controls with real-time global intelligence in order to identify One-Day-Wonders
• Why organizations should have solutions in place that comprehensively assess and assign a risk value based on multiple factors, including context around domains, IP address and site popularity
• The need for a baseline of hostnames for rapid detection of anomalies
• Why highly granular policy controls must include detailed policy creation, threat risk levels and hostname baselines to help automate defenses and fortify security postures
• Why ETM (Encrypted Traffic Management) is rapidly becoming a top priority for enterprises in order to expose the vulnerabilities and risks that result from the significant increase in use of SSL
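A minimal illustration of the hostname-baseline and risk-scoring idea the abstract describes, added here as an example and not Blue Coat's code or product logic. It assumes proxy-style log lines of the form "timestamp client_ip hostname" (the sample below is constructed), a baseline set of already-vetted hostnames, and a 24-hour lifetime threshold; the scoring weights (low popularity, domain churn) and the two-label "registered domain" shortcut are illustrative assumptions.

```python
"""Flag short-lived "one-day-wonder" hostnames against a hostname baseline.

Added example (not Blue Coat code): it assumes proxy-style log lines of the
form "<ISO timestamp> <client IP> <hostname>", a set of known-good hostnames
as the baseline, and a 24-hour lifetime threshold. The scoring weights are
illustrative assumptions, not a vendor's risk model.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ONE_DAY = timedelta(hours=24)

# Constructed sample proxy log (timestamp, client IP, hostname); not real traffic.
SAMPLE_LOG = """\
2014-09-01T08:00:00 10.0.0.5 www.example.com
2014-09-01T08:05:00 10.0.0.7 cdn-a1b2c3.static-assets.example
2014-09-01T09:10:00 10.0.0.5 x7f3kq.update-host.test
2014-09-01T09:12:00 10.0.0.5 x7f3kq.update-host.test
2014-09-01T20:00:00 10.0.0.7 cdn-a1b2c3.static-assets.example
2014-09-01T21:00:00 10.0.0.9 p0zqa2.update-host.test
2014-09-02T06:00:00 10.0.0.5 login.bank-example.test
2014-09-03T07:00:00 10.0.0.9 newsite.example.net
2014-09-03T08:00:00 10.0.0.5 www.example.com
"""

# Constructed baseline: hostnames already vetted (e.g. a CDN's rotating edge names).
BASELINE = {"www.example.com", "cdn-a1b2c3.static-assets.example"}


def parse_log(text):
    """Yield (timestamp, client_ip, hostname) from the whitespace-separated log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, host.lower()


def build_hostname_profile(records):
    """Track first/last sighting and the distinct clients per hostname."""
    profile = {}
    for ts, client, host in records:
        p = profile.setdefault(host, {"first": ts, "last": ts, "clients": set()})
        p["first"] = min(p["first"], ts)
        p["last"] = max(p["last"], ts)
        p["clients"].add(client)
    return profile


def registered_domain(host):
    """Simplification: the last two labels. Production code would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def short_lived_hostnames(profile, window_end):
    """Hostnames observed for <= 24h whose last sighting is at least 24h before window_end.

    A hostname seen within the last 24h may still be alive, so its lifetime cannot
    be judged yet; it is deliberately left out rather than flagged prematurely.
    """
    return {h for h, p in profile.items()
            if p["last"] - p["first"] <= ONE_DAY
            and window_end - p["last"] >= ONE_DAY}


def domain_churn(short_lived):
    """Count short-lived hostnames per registered domain (the 'top domains' view)."""
    churn = defaultdict(int)
    for h in short_lived:
        churn[registered_domain(h)] += 1
    return dict(churn)


def find_one_day_wonders(profile, baseline, window_end):
    """Return {hostname: score} for short-lived hostnames absent from the baseline.

    Score (illustrative): 1 for being short-lived and unbaselined, +1 if only one
    client ever contacted it (low popularity), +1 if its registered domain produced
    two or more short-lived hostnames in the window (domain churn).
    """
    short_lived = short_lived_hostnames(profile, window_end)
    churn = domain_churn(short_lived)
    findings = {}
    for h in short_lived:
        if h in baseline:
            continue
        score = 1
        if len(profile[h]["clients"]) <= 1:
            score += 1
        if churn[registered_domain(h)] >= 2:
            score += 1
        findings[h] = score
    return findings


if __name__ == "__main__":
    prof = build_hostname_profile(parse_log(SAMPLE_LOG))
    end = max(p["last"] for p in prof.values())  # end of the observation window
    for host, score in sorted(find_one_day_wonders(prof, BASELINE, end).items(),
                              key=lambda kv: -kv[1]):
        print(f"{score}  {host}")
```

On the sample data the baselined CDN hostname is short-lived but suppressed, the two throwaway names under the same parent domain score highest, and the hostname first seen an hour before the end of the window is held back because its lifetime is not yet known. The baseline is what keeps a legitimately rotating CDN from flooding the queue, which is the reason the abstract pairs hostname baselines with the risk score rather than alerting on every new name.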

Trianon Ballroom

11:25am – 12:00pm

“Trends from an Investor’s Perspective”

Shardul joined Index in 2008. His focus is on infrastructure, security and software. Shardul’s board involvement includes Datadog, Outbrain, Lacoon and Adallom. He has also supported investments in Moleskine, Squarespace, Dropbox, Centrify, Stack Exchange, Erply, Zend, Ariad (ARIA), and Micromet (acquired by Biogen). He holds a BA in Economics and a BA in Biology, with a specialization in Immunology, from the University of Chicago.

Index Ventures is a global venture capital firm, focused on making investments in information technology and life sciences companies. In this interview session, Summit Emcee, Richard Warner, will ask Shardul Shah, Principal at Index Ventures, to bring to light what is going on in the information security industry relative to trends, direction of products coming to market, and what a company like his looks for and invests in as far as the “next big idea.” Shardul leads Index’s security practice, which has invested over $50m in security startups in the last 18 months.

ViJay serves on various industry and professional advisory boards. He is a progressive thought leader, a featured speaker at security industry events and a regular author for industry publications. He is also a strategic advisor for early and growth stage technology start-ups and provides research and intelligence to venture capital and private equity groups.

He is also the principal architect of a Supply Chain Security Framework and is presently engaged in publishing an industry reference framework for Intelligence-driven Risk Management.

ViJay holds multiple product certifications, is Six Sigma certified, received his B.S. in electronics from Osmania University, India, and completed an Executive Business Leadership and Finance Management program at Cornell University.

ViJay Viswanathan, CISO of HD Supply, a company with over $8.5 billion in sales, has been on a multi-year journey creating and implementing a unique Intelligence-driven Risk Management Framework. ViJay will explore the requirements, benefits and challenges of developing an Intelligence-driven Risk Management practice, which will include:

1. Threat recognition and predictive analytics
2. The use of big data analytics to give context to SIEM
3. Right information, at the right time, at the right place

Trianon Ballroom

1:50pm – 3:00pm

Executive Roundtable Discussions Facilitated by Summit Hosts

Breakout sessions with your peers on topics determined by attendees during registration. The topics are facilitated by the Summit Hosts.

Deborah A. Snyder serves as Acting Chief Information Security Officer (CISO) for the New York State Office of Information Technology Services (ITS). In her role as Acting CISO, she directs the Enterprise Information Security Office’s comprehensive governance, risk management and compliance program. She provides business-aligned strategic leadership and vision, promoting industry standards and risk-based investments to maximize business opportunity and minimize risk.

From November 2001 to November 2012, she served as the Chief Information Security Officer for the New York State Office of Temporary and Disability Assistance (OTDA), where she established and led the agency’s Information Security Office and comprehensive Information Security Assurance Program. She informed and advised executive management on security governance, risk and compliance, and managed a portfolio of initiatives designed to increase awareness, mitigate risk, optimize protection of information assets and prevent, detect and recover from incidents.

Ms. Snyder has extensive experience in state and local government program administration, information technology and information security services. Prior to serving as the agency’s CISO, Ms. Snyder served as the Director of Human Services Modernization, leading program reform, redesign and system modernization initiatives encompassing multiple agencies and systems, managing state programs, IT, and vendor resources to deliver innovative program and technology solutions.

Ms. Snyder is an active participant and contributor to the IT and Information Security community. She has championed efforts to strengthen the State’s information security posture and advance the profession at large. She has served as Co-Chair of the NYS Forum Information Security Work Group, VP of Education for the local ISACA Chapter, and is a member of the Project Management Institute, InfraGard, Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), and the Institute of Internal Auditors (IIA). She co-authored the book entitled “SECURE – Insights From The People Who Keep Information Safe,” which offers industry leaders’ insights and perspective, and has received recognition for excellence in government information services, and outstanding contributions to the field of information security and cyber security. She is a highly regarded speaker and instructor on topics critical to executive-level business and IT professionals.

Ms. Snyder graduated from the State University of New York at Albany, and holds several industry certifications including Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), SANS Global Information Assurance Certification in Security Leadership (GIAC GSLC) and Project Management Professional (PMP).

Information security leaders are now being drawn into C-suite and board discussions more than ever before. With conversations shifting from blocking and tackling measures to discussions focused on threat landscapes, impacts from changing business scenarios, and importantly, the evaluation of risk, the maturity of an effective information security program has emerged as a top priority for most enterprises. Senior management and the board want to ensure that customers’ trust in online systems is not undermined, that the brand is not threatened, and that the company is not held back from forging a new direction or strategy. With this maturity comes the movement from CISOs setting a “security” strategy to now determining the business strategy for their organizations.

In this roundtable, discuss the following with your peers:

How are security organizations articulating their value to senior management and the board in areas such as attracting and retaining customers, fostering innovation, maintaining or growing competitive advantage? What other areas reflect the value your organization brings?

In terms of discussions with C level executives and/or the board, what is your organization doing to provide them confidence in your processes, people and technology?

What are best practices for a security organization in terms of validating the understanding of business priorities in order to move from a security strategy to a “business strategy?”

What are key areas to focus on in developing a business strategy for your organization that are different from a security strategy?

In terms of preparing for the future, what types of conversation should be held with upper management now that differ from what was discussed in the past?

Kostas Georgakopoulos has led Global Information Security Programs for large Financial Services firms such as NASDAQ OMX, Bank of China and Deutsche Bank. Georgakopoulos is currently US Regional Manager Security IT at UBS. His experience is focused on global information security, privacy and governance frameworks, policies, procedures, guidelines and standards. He has evaluated various industry best practices, including NIST, ISO, SANS, COBIT and CERT, as well as legislative and regulatory compliance requirements, including SOX, GLBA, PCI, HIPAA, EU Data Directive and FFIEC.

Cyber resilience is now considered a business imperative and a strategic component of a business or organization’s strategy. With breaches making headlines, a company’s reputation and economic viability are put at risk. Perhaps most concerning about companies at risk is that, according to recent survey findings, only one third of organizations detect their own breaches. And, once an organization is targeted, some 38% are attacked again after the original incident has been remediated.

Commercial and government organizations of all sizes are taking steps to determine whether or not they are under attack, measure the scope of the attack, assess the damage, and determine how to put preventive measures in place for the future. Dealing with APTs takes a new mindset, a deeper understanding of the attacker’s approach, and a full arsenal of tools. This is taking security to a whole new level.

In this roundtable, discuss the following with your peers:

To what extent are you actively working to determine whether or not your organization is in the cross-hairs of an APT attack? What specifically are you doing?

How difficult has it been to educate your executive team about the prevalence of APTs and the threat they pose to your organization? What methods have you used to ensure support for your efforts to gather global threat intelligence, perform surveillance and investigation, and take counter measures?

Has the focus on detecting and thwarting APTs changed your security investment priorities? Are you dedicating specialized resources to dealing with APTs? If so, what impact does that have on other areas of security investment?

To what extent are you leveraging user education to avoid spear phishing and other social engineering attacks that are increasingly used to gain a foothold within the organization?

What technologies, procedures and policies are working to detect and respond to APTs in your organization?

John Hibbs is a native of Fairmont WV and graduated from West Virginia University with a degree in Mechanical Engineering in 1993. He was commissioned as an Ensign in the United States Navy via Officer Candidate School in the same year.

He was subsequently designated as a Surface Warfare Officer where he served as the Communications and Auxiliaries Officer in USS VELLA GULF (CG-72) and the Navigator and Fire Control Officer in USS SCOTT (DDG-995).

John then transitioned to the U.S. Navy Information Warfare community in 1998 and was assigned to the National Security Agency where he served in a variety of operational positions. In 2001, he reported to the staff of U.S. Naval Forces Europe where he served as the Information Operations Department Head and participated in OPERATION IRAQI FREEDOM planning efforts.

John next served as the Executive Officer at Navy Information Operations Command Texas. During this period, he oversaw a command expansion from 220 to 530 personnel and the command earned the NSA Director’s Trophy for operational excellence.

John was then assigned to the staff of U.S. Fleet Forces Command where he managed all Fleet Cyber requirements. He then reported to the Navy Cyber Defense Operations Command as the Operations Officer and ran all US Navy Cyber Security operations.

In 2012, John transitioned from the Navy and joined GE Capital as the Chief Information Security Officer.

In addition to his engineering degree, John has a Master’s degree in Information Technology Management from Central Michigan University, a Master’s degree in National Security and Strategic Studies from the Naval War College, and a Master of Business Administration from the Darden School at the University of Virginia.

John is married to the former Irene Leporini of Orlando, FL and they have five children: Claudia, Liam, Avery, Jillian, and Mason. Interests include incessantly chasing his offspring, community service, and reading.

Applications are at the heart of our world – driving sales and profits, holding intellectual property and delivering customer satisfaction. But they are fast becoming the preferred attack vector of hackers. We often wonder what tools are effective to detect security flaws in applications, and to protect against flawed applications. It’s a fact of life: software companies produce insecure code.

Many different approaches to application security have been tried, yet the root cause of many data breaches is still found in applications. A better environment of solutions needs to be built, solutions that feed into one another to create an ecosystem of repeatable, secure software development and deployment based on standards, education, and assessment.

In this roundtable, discuss the following with your peers:

Specific to application security, what standards have you put in place to align development activities with policies and compliance mandates? Discuss how your standards have evolved.

In terms of education for the application development staff, what tools or processes do you find most useful to ensure higher levels of application security from this group?

John Whiting is an established IT and security executive with twenty years of experience. His strengths include evaluating and aligning technology investments with organizational goals to support continued growth, technology strategy, data privacy, information security governance, security risk, vendor and third-party risk governance, business development, and human capital development. He is currently employed at American International Group as the BISO (Business Information Security Officer) for Global Corporate and Human Resources, and also serves on the SIG / Shared Assessments committees for the Vendor Risk Maturity Model (VRMM) and Vendor Privacy.

Protecting critical data and systems is a big problem, but it’s only half the problem: organizations must also ensure they are in compliance with the growing number of privacy laws and other regulations. Doing so is costly. IT departments spend an inordinate amount of time collecting data and building reports to prove they have the right security measures and process controls in place. Proving a non-event requires tracking and reporting every action taken to secure the systems, networks, and data involved. Studies have found that over 85% of respondents state that dealing with regulatory compliance and industry standards – including ISO, PCI DSS and HIPAA – takes up to 50 percent of their work week.

What’s the answer? Make the investment in manual processes? Attempt to integrate various technologies into cohesive solutions? Spend time being reactive, rather than investing for tomorrow? Is there a better way to both adhere to regulations and prove adherence?

In this roundtable, discuss the following with your peers:

How do you deal with the overwhelming amount of time it takes to verify compliance? Are there tools or processes that make it manageable?

What steps are you taking in the near term to lower the cost of compliance? What results have you seen to date?

How concerned are you about the need to comply with regulations from several countries, in addition to your home base? What best practices can you share that make compliance easier?

Do you rely on others (subordinates, other departments) to help verify compliance? If so, how do you accomplish (and justify) the training, procedures, policies and other preparatory work that must be done to ensure quality work?

Ray Hawkins is the Chief Information Security Officer for Genesis Healthcare, the largest provider of long-term healthcare services in the United States. He has over fifteen years of experience in Information Security across a number of industry sectors, public sector and consulting. In his leadership role Ray provides guidance and direction in all matters related to data protection, regulatory compliance, risk management, litigation support, e-discovery, and incident management.

Ray holds a number of professional certifications and is currently pursuing a Ph.D. in Information Security. Outside of work he focuses his time on his wife and two kids and is an active Brazilian Jiu-Jitsu competitor.

The controversy over the usefulness of security awareness programs continues to rage. Many corporations invest heavily in employee security awareness campaigns, while others take a very targeted approach that focuses on a single component. Can a single video, or a phishing simulation, really bring about a change in user behavior? Research shows that, just as with any successful campaign, information needs to be presented multiple times, and in multiple different formats, in order to begin to sink in. Posters, blogs, tweeting, newsletters, computer-based training, contests, websites, digital signage, reminders: all play a role in bringing about lasting change in behavior.

While security experts are divided, there is a growing body of evidence that properly constructed security awareness programs actually yield results. They get people to implement secure practices into their daily activities, based on an understanding of good practices. Recent trends include the use of gaming as part of the security awareness program, designed to engage younger audiences and correlate with the way they learn.

In this roundtable, discuss the following with your peers:

What methods have proven most effective in your efforts to increase the level of security awareness among users?

In your experience, what is the best mix of formats and frequency of contact in order to achieve rapid yet lasting results? How important is social media?

What innovative methods have you used to increase the level of security awareness, as well as to instill safe computing practices?

Some security awareness programs are designed to only address user behavior at work, while others extend beyond, to other aspects of the users’ life. What are optimal ways to extend the reach of security awareness and training programs?

Which is more effective: mandatory security training, or voluntary self-enrollment and self-service? How do you measure the success of each?

Topic 6: Leveraging the Cloud for Business Agility While Managing Risks

Teresa is responsible for the strategic leadership of GE information security programs and Risk in Power and Water, including incident response, government relations, cyber intelligence, application & system security, and controllership & governance. She has been the CISO since October 2013 and recently took over Risk in July 2014. GE Power and Water is a $28B business with 42,000 employees in over 100 locations. Prior to this role, Teresa led the Security Design Team across Aviation and Energy for 4 years, where she was responsible for defining strategy and standards along with leading new technology implementations for critical security technologies.

Teresa has been with GE for 15 years and began her career in Energy as a Black Belt. She held various positions in Information Technology as the Quality leader supporting ERP, Product Lifecycle Manager supporting engineering operations, and the Quality Control Manager for TSG (Technical Services Group). Prior to moving into cyber security, she managed the Energy and Oil & Gas Build team, responsible for the implementation of large-scale CIO and network connectivity projects.

Teresa holds a Master of Science degree in Statistics and a Bachelor of Science in Math/Physics from the State University of New York, Albany.

There’s universal understanding that moving data, applications and services to the cloud can result in big cost savings and increased organizational agility. Initial reluctance to migrate, based on fears related to general security, reliability and control, has given way to widespread adoption.

Now it’s time to take a deeper look at the real security concerns that have now emerged as the cloud takes center stage. In large part, they revolve around trust: can we trust the cloud provider to ensure secure storage (encryption of data, protection while in use and in transit), access control and authentication, and secure interfaces? Are we doing enough due diligence to ensure we are not taking on unknown levels of risk, or do we suffer from an incomplete understanding of the cloud service provider environment, and the applications, data and services being moved to the cloud?

In this roundtable, discuss the following with your peers:

Briefly discuss as a group how your cloud strategy is evolving and what is driving the change.

Has the risk appetite for organizations changed as cloud strategies have become more prevalent?

How are you defining and measuring the risk appetite for your business as it relates to moving to the cloud?

With concerns around data privacy and lack of trust made loud and clear by Snowden/NSA, have there been discussions at your company that will cause you to scale back on cloud adoption?

In planning for the future, what are the strategies you see evolving that will help you to leverage the cloud for speed to market and lower costs?

Mr. Bearman works at Towers Watson as the CISO with responsibility for both Information and Physical Security. Mr. Bearman is responsible for ensuring appropriate security is in place to protect corporate and client assets in over 140 offices across more than 25 countries.

Mr. Bearman works hand in hand with all lines of business, data privacy, audit, compliance, and legal to coordinate, execute, and govern the corporate Information Security program. Current responsibilities in this position include: managing the corporate information security program; defining strategy; coordinating security initiatives efforts across lines of business, audit oversight, incident management, and IT risk management; and reporting information security program status to the board of directors and various leadership committees.

Mr. Bearman has over 25 years of information systems experience and has been involved with various aspects of Information Security for over 18 years. Prior to working at Towers Watson/Towers Perrin, Todd was the Director of Information Security at Commerce Bank (now TD Bank). Before that, Todd spent much of his career as a consultant, most recently responsible for managing the Information Security practice at Schlumberger Ltd, a global oilfield services organization. He has also had various consulting engagements as well as several years of banking experience at CoreStates Bank (now Wachovia). Mr. Bearman has successfully leveraged his broad base of security expertise and experience with his strong business sense to empower companies to protect their information assets while managing information risk and business costs and impacts.

Todd has been invited to participate on several panels and presented security lectures for various organizations including Gartner, Symantec, NJ CIO Forum, NJ Technology Forum, and the Information Security World Conference, CISO Summit, and PwC State of Security Panel. Todd has also been featured in multiple articles including in Information Technology and Security magazine and CIO-Leader.com. He earned his BS in Marketing from Monmouth University.

According to Gartner, by 2016, 25% of large global companies will have adopted big data analytics for at least one security or fraud detection use case, up from 8% today, and will achieve a positive return on investment within the first six months of implementation. Big data analytics gives enterprises faster insight into data than ever before and enables them to combine and correlate external and internal information to see a bigger picture of the threats against their enterprises.

Security devices and tools abound in today’s networks. Even a mid-sized company will likely have more than 500 separate security tools and devices, producing vast quantities of data on security events. But most operate in virtual silos, making it almost impossible to monitor security threats across the IT environment. How can we make sense of the massive amount of data available, and distinguish between a security event, an attack and a true security incident that is worth our attention? Plowing through all the data to find the actual incidents can be next to impossible, without advanced visibility and security intelligence to show what is happening and highlight the true threat environment.

In this roundtable, discuss the following with your peers:

As information security organizations prepare to start leveraging big data, what are the major obstacles or challenges that have to be overcome?

Most organizations face immense challenges with the growing number of events relative to cyber-crimes and cyber-based terrorism. Where is the right starting point to leverage big data for use in mitigation efforts?

Analyzing data can help uncover facts and patterns previously not understood which moves an organization from hindsight to insight. What are best practices for building an effective framework to gather intelligence and insight in order to be proactive and predictive?

In terms of skills needed within a security organization to leverage big data, what are the requirements for a security organization? Is the work effort divided between staff for mitigation, prediction, etc., or does the same staff handle all the analysis?

Gartner has stated that organizations should ensure that their continued investment in security products promotes technologies that use agile, analysis-based approaches to threats, rather than static signature-based tools at the edge of the network. How are you working with your vendors to ensure they are positioning their products to provide the analysis needed?

As more security organizations begin to embrace the use of big data, how are organizations effectively integrating the use of big data into their overall security program as standard processes?

Breakout sessions continue as attendees move to another topic for discussion with their peers. At the end of the 2nd rotation, a debrief of the discussions on each of the topics will be provided by the Summit Hosts.

Trianon Ballroom

4:15pm – 4:30pm

Closing Remarks

Trianon Ballroom

4:30pm – 5:30pm

Reception in the Sponsor Pavilion with Prize Drawings

Rendezvous Ballroom

Venue

Hilton Avenue of the Americas

1335 Avenue of the Americas, New York, NY 10019
(212) 586-7000

Located in the heart of New York City, the Hilton New York is just steps away from New York’s premier attractions. Conveniently situated in Midtown Manhattan, the hotel is one of the most sophisticated New York hotels and is within walking distance of Times Square, Radio City Music Hall, Fifth Avenue shopping, the Broadway Theatre district, Central Park, The Museum of Modern Art (MOMA) and many more iconic New York landmarks.

Room Rate and How To Book

Select from a variety of modern, spacious guest rooms featuring on-demand entertainment and high-speed internet access. Upgrade to a suite and enjoy complimentary Executive Lounge access. This exquisite New York hotel provides a diverse choice of dining options.

Parking

Directions

On Avenue of the Americas (6th Ave.) between West 53rd and West 54th Streets. 53rd Street is westbound and 54th Street is eastbound. LaGuardia is 8 miles, JFK is 17 miles, Newark is 15 miles, Grand Central Station is 15 minutes across town, Penn Station is 15 minutes downtown and Port Authority is 10 minutes downtown.

John F. Kennedy International Airport

Van Wyck Expressway North to Long Island Expressway (LIE) West and watch for signs to Queens Midtown Tunnel to 34th Street. Go west across 34th Street to Avenue of the Americas (6th Avenue). Make a right and go up the Avenue to 53rd St.

Newark International Airport

Look for signs to the New Jersey Turnpike (I-95 N) and follow signs to the Lincoln Tunnel. The tunnel exits at West 40th Street and 9th Avenue; drive east on 40th Street to Avenue of the Americas and turn left to 53rd Street.

La Guardia Airport

Grand Central Parkway to Brooklyn Queens Expressway South to Long Island Expressway West. Follow signs for Queens Midtown Tunnel to 34th Street. Take 34th Street West to Avenue of the Americas (6th Avenue). Make a right and go to 53rd St.

If you are interested in sponsoring the event or would like more information about sponsor packages, please call 678-445-1919 or email us at info@execalliance.com.

Platinum Sponsor

About Blue Coat Systems

Blue Coat empowers enterprises to safely and securely choose the best applications, services, devices, data sources, and content the world has to offer, so they can create, communicate, collaborate, innovate, execute, compete and win in their markets. Blue Coat has a long history of protecting organizations, their data and their employees and is the trusted brand to 15,000 customers worldwide, including 86 percent of the FORTUNE Global 500. With a robust portfolio of intellectual property anchored by more than 200 patents and patents pending, the company continues to drive innovations that assure business continuity, agility and governance.

Bronze Sponsor

About AirWatch by VMware

AirWatch by VMware is the leader in enterprise mobility management, with more than 10,000 global customers. The AirWatch platform includes industry-leading mobile device, email, application, content, and browser management solutions. Acquired by VMware in February 2014, AirWatch is based in Atlanta and can be found online at www.air-watch.com.

Utilizing its proven and comprehensive methodology in conjunction with its adaptive and responsive client service, NetSPI is more than a vendor; it’s a partner you can trust with your most critical assets.

About Security Innovation

Security Innovation focuses on the most difficult IT Security problem, and the root cause of most data breaches — insecure software applications. For more than a decade, we’ve helped organizations build internal expertise, uncover critical vulnerabilities, and improve the process by which applications are built. The company’s solutions are based on the three pillars of a secure Software Development Lifecycle (SDLC), which feed into one another to create an ecosystem of repeatable, secure software development: Standards, Education, and Assessment. Our flagship products include TeamProfessor, the industry’s largest library of application security eLearning courses, and TeamMentor, “out of the box” secure development standards.

About Wombat Security Technologies

Wombat Security Technologies provides information security awareness and training software to help organizations teach their employees secure behavior. Their SaaS cyber security education solution includes a platform of integrated broad assessments, and a library of simulated attacks and brief interactive training modules, to reduce employee susceptibility to attack, including phishing attacks, by over 80%.

Wi-Fi Sponsor

About SAINT

SAINT Corporation, a global leader in network security, offers the SAINT security suite including integrated vulnerability assessment, penetration testing, compliance reporting, and configuration assessment. Examine your network with the SAINT vulnerability scanner, and expose where an attacker could breach your network. Go to a higher level of visibility with penetration testing tools and exploit the vulnerability to prove its existence without a doubt. SAINT can help to –

SAINT software is available to download, as a cloud service (SAINTCloud), or preloaded on an appliance (SAINTbox). The software includes enterprise functionality; customizable dashboards and data analysis; and a friendly interface. For more information, visit www.saintcorporation.com.

About SecureAuth

Located in Irvine, California, SecureAuth is a technology leader and creator of the award-winning SecureAuth IdP that uniquely delivers multi-factor authentication and single sign-on together in a powerful solution for mobile, cloud, web, and network resources without requiring supplementary components or add-ons.